11:25 AM

Department Of Energy Confirms Data Breach

Attackers targeted employees' personal data, rather than top secret energy or nuclear information, investigators say.

Online attackers successfully penetrated the Department of Energy (DOE) network in the middle of January and obtained copies of personally identifiable information (PII) pertaining to several hundred of the agency's employees and contractors.

The agency first detailed the "cybersecurity incident," which affected the network at the agency's headquarters, in a memo circulated to all employees Friday. "We believe several hundred DOE employees' and contractors' PII may have been affected. As individual affected employees are identified, they will be notified and offered assistance on steps they can take to protect themselves from potential identity theft," according to the memo.

The DOE has launched a full-scale investigation into the breach, involving its Joint Cybersecurity Coordination Center, or JC3, which helps the agency track and report on all attacks launched against the agency, as well as the DOE's Office of Health, Safety and Security and Inspector General's office, together with one or more federal law enforcement agencies.

So far, the memo noted, "based on the findings of this investigation, no classified data was compromised."

[ For more on military agencies' security worries, see Uncertain State Of Cyber War. ]

According to Alan Paller, director of research for the SANS Institute, the DOE was subjected to a "long-term, intensive campaign" designed to compromise both its headquarters systems, as well as the systems used by its labs, which is where the majority of the agency's most sensitive work takes place. "The first time we saw hard evidence was in 2002 in attacks against Los Alamos," he said via email, referring to the agency's Los Alamos National Laboratory.

The DOE promised to release more details about this breach as they become known, and said that "once the full nature and extent of this incident is known, the Department will implement a full remediation plan," as part of what it said would be "an aggressive effort to reduce the likelihood of these events occurring again."

"These efforts include leveraging the combined expertise and capabilities of the Department's Joint Cybersecurity Coordination Center to address this incident, increasing monitoring across all of the Department's networks and deploying specialized defense tools to protect sensitive assets," according to the memo.

A DOE official, reached by phone, shared a copy of the memo that had been distributed to employees, but said the agency had no further comment on the breach or the investigation, beyond what was already detailed in the memo.

Interestingly, the DOE memo urged all employees "to help minimize impacts and reduce any potential risks" by encrypting all files and emails that contained PII, "including files stored on hard drives or on the shared network." That request suggests that the agency has yet to implement or mandate the use of full-disk encryption tools for all employees and contractors.

"DOE is as good or better than any civilian agency on encryption and sadly they are not very far along at all," said Paller.

Why might attackers have targeted PII for agency employees and contractors? One obvious answer would be to help the attackers design better social engineering attacks, and in particular spear-phishing attacks, of the type that successfully compromised security company RSA in 2011. Such attacks use personalized emails to trick users into opening malicious attachments, which, if not then blocked by information security defenses, can allow attackers to establish a virtual beachhead in the targeted network, and then expand their attack from there to find and steal sensitive data from other systems.

Despite that threat, could this DOE breach have upsides? "The thing that is most interesting to me is the difference between this attack response and nearly every other federal response," said Paller. "Here the top management and the CIO are actively seeking to understand it with a full commitment to fixing the underlying patterns that enabled the attack (that is very rare). The only other government agencies I know [of] that have demonstrated this type of leadership are in Australia."

As a result, the DOE breach may now spur more U.S. federal agencies to improve their cybersecurity posture. "I am really sorry this happened, but it may be catalytic for more rapid improvement of cybersecurity in the U.S.," said Paller. "Given the talent available in the labs, I expect DOE will be an important agent of valuable improvement for the government and critical infrastructure in the U.S."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
2/6/2013 | 8:48:15 PM
re: Department Of Energy Confirms Data Breach
The Article states:
Interestingly, the DOE memo urged all employees "to help minimize impacts and reduce any potential risks" by encrypting all files and emails that contained PII, "including files stored on hard drives or on the shared network." That request suggests that the agency has yet to implement or mandate the use of full-disk encryption tools for all employees and contractors.

I disagree with the conclusion. Full-disk encryption protects the contents should someone steal the disk drive from the machine. It does not protect the contents of the filesystem if that computer is running and a adversary obtains network access. File encryption is different and would require entering a password to open the files.
User Rank: Apprentice
2/6/2013 | 4:53:12 PM
re: Department Of Energy Confirms Data Breach
Any network can be the objective of successful attacks (DDoS or infiltration hacks) and government agencies would top the list. What makes the difference as the author states is how it is handled. In separate article on the same incident it was stated some 14 servers and a couple of dozen workstations were compromised. The only response of DoE in that article was a non chalant dismissal of it as only PII not classified information. That seems to be a lot of PII and personal information on government systems while sensitive information does not necessarily coincide with classified. I put it in the same category as the ATF CIO that has made a 2+ year focus on mobility devices (putting iPhones in the hands of agents) while they are still using microfiche for tracking weapons sales (like the Sandy Hook variety). My point is there may be more govt CIOs whose prioritization of needs may beg for re-evaluation than just DoE when fundamental services are sacrificed to cutting edge systems with limited ROI.
Andrew Hornback
Andrew Hornback,
User Rank: Apprentice
2/6/2013 | 4:38:58 AM
re: Department Of Energy Confirms Data Breach
"Why might attackers have targeted PII for agency employees and contractors?" Isn't the quite obvious answer here, given what the Department of Energy does, to sell that information on the black market? Not just for identity theft, that's somewhat low hanging fruit - but wouldn't this kind of information make it a lot easier for "unfriendly" forces to know who to target (and how to target them) in order to get information?

To think that someone would go to these lengths just to rip someone off and get a new flat screen TV is somewhat ludicrous, and akin to thinking that the world is a safe, sanitary place. I can think of any number of organizations that would be interested in "having a cup of coffee" with properly placed folks at the DoE.

Bottom line - DoE's CIO and/or CISO need to go and the organization needs to seriously re-evaluate how they handle information security.

How old is FIPS 140-2 again? Exactly.

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.